# HG changeset patch # User Kim Alvefur # Date 1394368956 -3600 # Node ID 100da6a5525ed98ae6e5270d14ce045c402a2530 # Parent 15912b07737095a90557c771860ce3cded92439b mod_s2s_auth_dane: More comment changes diff -r 15912b077370 -r 100da6a5525e mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sat Mar 08 00:00:26 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 09 13:42:36 2014 +0100 @@ -27,6 +27,7 @@ -- Negative or bogus answers -- No SRV records -- No encryption offered +-- Different hostname before and after STARTTLS - mod_s2s should complain -- This function is called when a new SRV target has been picked -- the original function does A/AAAA resolution before continuing @@ -70,7 +71,7 @@ if select == 0 then certdata = pem2der(cert:pem()); elseif select == 1 and cert.pubkey then - certdata = pem2der(cert:pubkey()); + certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec else module:log("warn", "DANE selector %d is unsupported", select); end @@ -97,7 +98,8 @@ end else module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); - -- TODO CA checks needs to loop over the chain and stuff + -- PKIX-TA checks needs to loop over the chain and stuff + -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm end end if not match_found then @@ -117,6 +119,7 @@ if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then -- TLSA record but no TLS, not ok. -- TODO Optional? + -- Bogus replies will trigger this path session:close({ condition = "policy-violation", text = "Encrypted server-to-server communication is required but was not "
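Review bot: in the first hunk (the list of failure modes near line 27), the new item "Different hostname before and after STARTTLS - mod_s2s should complain" leaves it unclear whether this module checks for that condition or relies on mod_s2s to do so; since the list documents cases this module does not handle, make the comment explicit, e.g. "-- Different hostname before and after STARTTLS: not checked here, mod_s2s should complain", so a reader does not assume DANE matching covers it.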
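Review bot: in the second hunk, the added comment "-- Not supported in stock LuaSec" sits on the `certdata = pem2der(cert:pubkey());` line, which is only reached when the `elseif select == 1 and cert.pubkey` guard passes; the comment would be more useful if it said what happens with stock LuaSec, namely that `cert.pubkey` is nil, the branch is skipped and the selector falls through to the `"DANE selector %d is unsupported"` warning, so that the silent downgrade of selector 1 (SPKI) matching is documented rather than implied.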
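Review bot: in the third hunk, the two replacement comment lines name different usages for one limitation (the first says "PKIX-TA checks needs to loop over the chain", the second concludes "so DANE-TA is not possible atm"); both usages depend on validating the presented chain, so state that plainly, e.g. "-- PKIX-TA and DANE-TA both need to walk and validate the chain; LuaSec exposes nothing for validating an arbitrary chain, so neither is possible atm", and fix "checks needs" to "checks need".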
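Review bot: in the fourth hunk, the added "-- Bogus replies will trigger this path" comment sits on a branch that closes the session with `condition = "policy-violation"` and a text saying encrypted communication "is required", which is misleading when the trigger is a bogus (DNSSEC-failing) answer rather than a genuine TLSA record on an unencrypted session; the branch condition `(session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure` also does not distinguish the two, so consider logging which flag fired before the `session:close`, and resolve the neighbouring "-- TODO Optional?" by stating whether the bogus case is meant to be a hard failure.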